CVE-2026-61684

Labring · FastGPT

FastGPT contains hard-coded credentials, which may allow an unauthenticated attacker to gain unauthorized access to sensitive information.

Executive summary

Hard-coded credentials within FastGPT expose the platform to potential unauthorized access by unauthenticated attackers.

Vulnerability

The application utilizes hard-coded credentials (CWE-798), which can be leveraged by an unauthenticated attacker to gain unauthorized access. This vulnerability simplifies the attack path, as no complex exploitation is required to bypass authentication.

Business impact

With a CVSS score of 8.8, this vulnerability poses a significant risk to the confidentiality of knowledge-based AI platforms. Unauthorized access to the platform could lead to the theft of proprietary data, sensitive AI training sets, or the manipulation of application logic, causing substantial business disruption.

Remediation

Immediate Action: Update FastGPT to version 4.15.0-beta5 or later to eliminate the hard-coded credentials.

Proactive Monitoring: Monitor authentication logs for suspicious login attempts and inspect configuration files for signs of credential tampering.

Compensating Controls: Ensure the instance is not exposed to the public internet and use a Web Application Firewall to filter out requests that attempt to exploit known credential patterns.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The reliance on hard-coded credentials represents a fundamental security flaw that must be addressed immediately. Organizations currently running FastGPT version 4.15.0-beta4 must upgrade to version 4.15.0-beta5 to secure the platform against unauthorized access.